Bug ID 1003765: Authorization header signature triggered even when explicitly disabled

Last Modified: Feb 07, 2024

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 17.0.0, 17.0.0.1, 17.0.0.2

Fixed In:
17.1.0, 16.1.4, 15.1.4.1

Opened: Mar 18, 2021

Severity: 4-Minor

Symptoms

A request that includes a base64-encoded Authorization header might result in a blocking page even though the specific signature is disabled.

Impact

A signature violation is detected, even though the signature is disabled.

Conditions

A base64-encoded Authorization header is included in the request.

Workaround

None

Fix Information

No violation is reported for disabled signatures.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips